
  • 1.  Only send logs of dropped traffic from SRX to Syslog server

    Posted 12-24-2019 07:10

    I have a customer who is receiving tons of logs from his SRX on the Syslog server. He requested that only logs for dropped traffic be sent; he doesn't care about the permitted traffic. How can I configure this under the Syslog host?


    Thanks in advance.


    #syslog
    #SRX


  • 2.  RE: Only send logs of dropped traffic from SRX to Syslog server
    Best Answer

    Posted 12-24-2019 08:32

    If it is a branch SRX (log mode is event) you may try this:

    set system syslog host <syslog server ip> any any
    set system syslog host <syslog server ip> match "RT_FLOW_SESSION_DENY"



  • 3.  RE: Only send logs of dropped traffic from SRX to Syslog server

    Posted 12-25-2019 06:12

    Thanks, Nellikka, for your answer.

    But if I'm planning to use stream mode, how can I configure it to match "RT_FLOW_SESSION_DENY"?



  • 4.  RE: Only send logs of dropped traffic from SRX to Syslog server

    Posted 12-25-2019 18:33

    There is no option to filter only deny logs in stream mode. Since you need only deny/dropped logs, one workaround is to enable logging only on deny security policies (log session-init) and remove/disable logging from the other security policies (i.e. log session-init and log session-close).
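    As an added illustration of that workaround (example configuration written for this thread, not from any of the posters or from Juniper documentation), the set commands below put the SRX in stream mode and attach `log session-init` only to an explicit catch-all deny policy, while the permit policy carries no `log` statement at all. The zone names (trust/untrust), policy names (allow-web/deny-all), stream name (deny-only) and the addresses 192.0.2.1 (SRX source) and 192.0.2.10 (collector) are assumptions; substitute your own.

```junos
# Added example, not from the original thread. Assumed names: zones trust/untrust,
# policies allow-web and deny-all, stream deny-only, SRX 192.0.2.1, collector 192.0.2.10.

# Stream mode: security logs go from the PFE directly to the collector
set security log mode stream
set security log format syslog
set security log source-address 192.0.2.1
set security log stream deny-only host 192.0.2.10
set security log stream deny-only category all

# Permitted traffic: no "then log", so no RT_FLOW_SESSION_CREATE / RT_FLOW_SESSION_CLOSE
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web then permit

# Explicit catch-all deny with session-init logging: only RT_FLOW_SESSION_DENY is produced.
# The policy must be explicit; traffic hitting the implicit default deny generates no log.
set security policies from-zone trust to-zone untrust policy deny-all match source-address any
set security policies from-zone trust to-zone untrust policy deny-all match destination-address any
set security policies from-zone trust to-zone untrust policy deny-all match application any
set security policies from-zone trust to-zone untrust policy deny-all then deny
set security policies from-zone trust to-zone untrust policy deny-all then log session-init

# If existing permit policies already log, remove it (repeat for each such policy)
delete security policies from-zone trust to-zone untrust policy allow-web then log
```

    After commit, `show security policies from-zone trust to-zone untrust detail` lists each policy's logging settings, so you can confirm that only the deny policy logs. Note that this only covers drops by security policy; drops from other sources (screens, for example) are not affected by these settings.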



  • 5.  RE: Only send logs of dropped traffic from SRX to Syslog server

    Posted 12-25-2019 23:29

    Thanks for your support, I really appreciate it.